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AMENDMENTS TO THE CLAIMS 

The following listing of claims replaces all prior versions and listings of claims in the 
application. 

Listing of Claims ; 

8. (Currently Amended) A high-performance specification resolution method for use 
in detecting attacks against computer systems x comprising: 

a) formu l ating receiving audit conditions to be detected using non-limiting 
specification formulas expressing fraudulent entry or attack patterns or abnormal operations, 
to be verified by examining the-records of a log file of trre-a_computer system; 

b) expanding said formulas into subformulas for each record ; 

c) scanning by an interpreter, and generating, for each expanded formul a in ooch 
record , Horn clauses to resolve in order to detect whether or not the formula is valid in the 
for each record, the Horn clauses expressing the-implications resolvent of the subformulas 
for each record scanned[[,]] in positive clauses , i.e. counting only having a positive literal 
and in non positive negative clauses having , i.e. counting at least one negative literal; 
which ncgotivc literals form the negative port of the c l ause ; 

d) storing the positive H orn clauses in a stack of worked s ubformulas, aftd 

storing, in a table of clauses, comprising a representation_o f, i mplicating 
subformu l a(s) constituting the negative port of the clauses and the l ink with the imp l icated 
subformu l a(s) constituting the positive part of the clausesj-afrd 

storing,, in a table of counters, the-a_number of formulas or subformu l as present in 
the negative literals in each negative part of the claus e for each implicated subformu l o ; 

e) resolving the table of clauses based on each positive claus e encountered, so as to 
generate either an output file or an action of the computer system; 

f) iterating steps b) through e) until the scanning of all the records in the log file is 
complete. 

9. (Currently Amended) A -The method according to claim 8, choroctcrizcd in thot a 
wherein t emporal logic is used for the formulation of the specification. 
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10. (Currently Amended) A-The method according to' claim 8, choractcrizcd in thot 
wherein t he table of clauses is a matrix ond is indexed in columns by subscripts of the 
formulas appearing in the negative part of the Horn clauses, and the l ines arc indexed in 
lines by subscripts of the formulas appearing in the positive H em-clauses exact l y . 

11. (Currently Amended) A -The method according to claim 8, characterized in that 
wherein t he table of clauses is preferably represented in the form of a sparse matrix, the 
columns being represented by means of chained lists and the implicit l ines . 

12. (Currently Amended) A -The method according to claim 8, characterized in that 
a step for further comprising optimizing the expansion of the formulas is obtained through 
using a hash table to ensure that the same ajormula is not expanded more than once in 
each record. 

13. (Currently Amended) A -The method according to claim 9, characterized in that 
a stop for f urther comprising optimizing the expansion of the formulas i s obtained through 
using a hash table to ensure that the same ajormula is not expanded more than once in 
each record. 

14. (Currently Amended) A -The method according to claim 8, characterized in that 
wherein the log file is scanned only once from beginning to end. 

15. (Currently Amended) A computer system comprisingi 
storage meansi and 

meafts -a processor, coupled to the storage means, f or executing programs fef 
implementing a high performance resolution method for de l eting detecting attacks against 
the system wherein the method processor operates to : 

a) formulates receive audit conditions to be detected using non-limiting 
specification formulas expressing fraudulent entry or attack patterns or abnormal 
operations, to be verified by examining the records of a log fil e of the computer 
sy s tem ; 

b) expand[[s]] said formulas into subformulas for each record ; 

c) scan[[s]] by an interpreter, and generate[[s]], for each expanded formula 
in each record , Horn clauses to resolve in order to detect whether or not the formula 
is valid i n the for each record, the Horn clauses expressing the-implications resolvent 
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of the subformulas for each record scanned|L]] in positive clauses , i .e. counting only 
having a positive literal* and in non positive negative clauses , i.e. counting having at 
least one negative literal , which ncgotivc l itera l s form the negative part of the 
clause ; 

d) store[[s]] the positive H orn clauses in a stack of worked subformulas, and 

storing, 

store, in a table of clauses, comprising a representation ^, imp l icoting 
subformu l a(s) constituting the negative port of the clauses and the l ink with the 
imp l icated subformu l a(s) constituting the positive part of the clauses, and 

store[[s]] x in a table of counters, the-a_number of formu l as or subformu l as 
present in the negative literals in each negative part of the claus e for coch imp l icotcd 
subformulo ; and 

e) resolve[[s]] the table of clauses based on each positive clause 
encountered , so as to generate either an output file or an action of the computer 
systems 

an adaptor for trans l ating information from a l og fi l e formu l ated in the specific 
l anguage of the machine i nto a language comprehensib l e to an interpreter; 

the i nterpreter receiv i ng the i nformation from the adapter and receiving the 
formu l ation of the specification in a tempora l logic in a specif i cation formu l a i n order to 
expand said formu l a and fi ll i n the tab l e and the stack of worked subformu l as stored in a 
memory of the computer system and resu l ting from the scanning of the computer system's 
log fi l e; 

a c l ause processing a l gorithm executed by the computer system, for resolving the 
H orn c l auses using the information from the table and the stock of worked subformu l as, said 
c l ause processing a l gorithm generating on output fi l e or generating an action . 

16. (Currently Amended) A-Ihe_computer system as defined in according to claim 
15 wherein the-temporal logic is used for formulation of the specification. 

17. (Currently Amended) A-Ihe_computer system os defined in according to claim 
15, wherein the table of clauses is a matrix and is indexed in columns by subscripts of the 
formulas appearing in the negative port of the Horn -clauses, and the l ines are in lines by 
subscripts of the formulas appearing in the positive H em-clauses cxoctlv . 


Page 4 of 8 


Atfy Dkt: T2153-906593 

18. (Currently Amended) A-Jhecomputer system ns defined in according to claim 
15, wherein the table is preferably represented in the form of a sparse matrix, the columns 
being represented by means of chained lists and the imp l icit lines . 

19. (Currently Amended) A-The_computer system as defined in according to claim 

15 including a hash table to ensure that the same ajormula is not expanded more than 
once in each record. 

20. (Currently Amended) A -The computer system as defined in according to claim 

16 including a hash table to ensure that the same ajormula is not expanded more than 
once in each record. 

21. (Currently Amended) A-Thecomputer system as defined i n according to claim 
15 including means for scanning the log file only once from beginning to end. 

22. (New) The computer system according to claim 15, wherein the programs 
executed by the processor include: 

an adaptor module for translating information from the log file; 

an interpreter module for receiving the information from the adapter, receiving the 
specification formulas, expanding the specification formulas, and filling in the table of 
clauses, table of counters and the stack of worked s ubformulas stored in the storage means; 
and 

a clause processing module for resolving the Horn clauses using the information from 
the table of clauses, the table of counters and the stack of worked subformulas, the clause 
processor generating the output file or generating the action. 
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